Systems and methods for selective access to logs

ABSTRACT

Systems are provided for managing access to a log of dataset that is generated when the dataset is accessed. A system stores, with respect to each of a log producer and a log accessor, an encrypted symmetric key for dataset that is encrypted using a corresponding public key. The system returns the encrypted symmetric key for the log producer, such that the log producer can decrypt the dataset that is encrypted using the symmetric key. A log of the dataset is generated when the log producer accesses the dataset.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No.15/991,366, filed May 29, 2018, which claims the benefit under 35 U.S.C.§ 119(e) of U.S. Provisional Application Ser. No. 62/595,857, filed Dec.7, 2017, the content of which is incorporated by reference in itsentirety into the present disclosure.

FIELD OF THE INVENTION

This disclosure relates to approaches for managing access to logs ofdatasets (e.g., logs that are generated when the datasets are accessed).

BACKGROUND

Under conventional approaches, computing systems may require harddeletion of certain records including sensitive information (e.g.,confidential information), such as logs of datasets, which may indicatea user's intent with respect to the dataset, in order to maintainintegrity of the records. Currently, there is no secure way toselectively delete (or redact) sensitive information such thatunauthorized users are prohibited from accessing the sensitiveinformation. In addition, in some instances, particular data of thesensitive information may need to be maintained, for example, when usersof high-level authority need to maintain access to the sensitiveinformation, while access to the sensitive information by users oflow-level authority is prohibited.

SUMMARY

Various embodiments of the present disclosure can include systems,methods, and non-transitory computer readable media. In someembodiments, a first system includes one or more processors, and amemory storing instructions that, when executed by the one or moreprocessors, cause the system to perform first operations. The firstoperations include encrypting a symmetric key for dataset into first andsecond keys, using a public key of a log producer that has authority toproduce a log for the dataset and a public key of a log accessor thathas authority to access the log, respectively, and storing the first andsecond keys in a first datastore. The first operations further includestoring encrypted dataset obtained by encrypting the dataset using thesymmetric key in a second datastore. The first operations furtherinclude returning the first key, in response to a request from a userhaving authority as the log producer, such that the user can decrypt thefirst key using a secret key of the log producer, and accesses theencrypted dataset and generate an encrypted log using the decryptedfirst key. The first operations further include deleting the second keyfrom the first datastore, in response to a request for deletion, suchthat a user having the authority as the log accessor cannot decrypt theencrypted log.

In some embodiments, the first operations further include deleting thesecond key from the first datastore, in response to a request fordeletion, such that a user having the authority as the log accessorcannot decrypt the encrypted log. In some embodiments, the firstoperations further include encrypting the symmetric key for the datasetinto a third key using a public key of a second log accessor that hassecond authority to access the log. The third key is maintained in thefirst datastore upon deletion of the second key. In some embodiments,the first operations further include storing, in the first datastore,the first and second keys in association with an identifier of the logproducer and an identifier of the log accessor, respectively, andreturning the second key, in response to a request that has theidentifier of the log accessor and received before the second key isdeleted.

In some embodiments, the first operations further include storing, inthe second datastore, the encrypted log in association with the dataset.In some embodiments, the first operations further include storing, inthe first datastore, the first and second keys in association with anidentifier of the log producer and an identifier of the log accessor,respectively, and returning the first key, in response to a requesthaving the identifier of the log producer.

In some embodiments, the first operations further include storing, in athird datastore, a secret key of the log producer corresponding to thepublic key of the log producer and a secret key of the log accessorcorresponding to the public key of the log accessor. In someembodiments, the first operations further include returning the secretkey of the log producer, in response to a request from a user havingauthority as the log producer, and returning the secret key of the logaccessor, in response to a request from a user having authority as thelog accessor.

In some embodiments, a second system includes one or more processors,and a memory storing instructions that, when executed by the one or moreprocessors, cause the system to perform second operations. The secondoperations include obtaining, from a first server, an encryptedsymmetric key for dataset, the encrypted symmetric key being encryptedusing a public key of a log producer, and decrypting the obtainedencrypted symmetric key using a secret key of the log producercorresponding to the public key. The second operations further includeobtaining, from a second server, encrypted dataset that is generated byencrypting the dataset, decrypting the encrypted dataset using thedecrypted symmetric key, and upon access to the decrypted dataset,generating a log and encrypting the log using the decrypted symmetrickey.

In some embodiments, the second operations further include generating anasymmetric key pair of the public key and the secret key of the logproducer, and transmitting the public key and the secret key todifferent datastores. In some embodiments, the second operations furtherinclude obtaining the secret key from the datastore when the dataset isaccessed.

In some embodiments, the second operations further include transmittingthe encrypted log to the second server, such that the encrypted log isstored in associated with the encrypted dataset. In some embodiments,the second operations further include transmitting a request with anidentifier of the log producer and an identifier of the dataset to thefirst server, to obtain the encrypted symmetric key. In someembodiments, the second operations further include transmitting arequest with an identifier of the log producer and an identifier of thedataset to the second server, to obtain the encrypted dataset.

In some embodiments, a third system includes one or more processors, anda memory storing instructions that, when executed by the one or moreprocessors, cause the system to perform third operations. The thirdoperations include obtaining, from a first server, an encryptedsymmetric key for dataset, the encrypted symmetric key being encryptedusing a public key of a log accessor, and decrypting the obtainedencrypted symmetric key using a secret key of the log accessorcorresponding to the public key. The third operations further includeobtaining, from a second server, an encrypted log that is generated byencrypting a log that is generated when the dataset is accessed by a logproducer, and decrypting the encrypted log using the decrypted symmetrickey.

In some embodiments, the third operations further include generating anasymmetric key pair of the public key and the secret key of the logaccessor; and transmitting the public key and the secret key todifferent datastores. In some embodiments, the third operations furtherinclude obtaining the secret key from a third server when the dataset isaccessed.

In some embodiments, the third operations further include transmitting,to the first server, a request to delete a second encrypted symmetrickey for the dataset. The second encrypted symmetric key is encryptedusing a public key of a second log accessor different from the logaccessor. In some embodiments, the third operations further includetransmitting a request with an identifier of the log accessor and anidentifier of the dataset to the first server, to obtain the encryptedsymmetric key. In some embodiments, the third operations further includetransmitting a request with an identifier of the log accessor and anidentifier of the dataset to the second server, to obtain the encryptedlog.

These and other features of the systems, methods, and non-transitorycomputer readable media disclosed herein, as well as the methods ofoperation and functions of the related elements of structure and thecombination of parts and economies of manufacture, will become moreapparent upon consideration of the following description and theappended claims with reference to the accompanying drawings, all ofwhich form a part of this specification, wherein like reference numeralsdesignate corresponding parts in the various figures. It is to beexpressly understood, however, that the drawings are for purposes ofillustration and description only and are not intended as a definitionof the limits of the invention.

BRIEF DESCRIPTION OF THE DRAWINGS

Certain features of various embodiments of the present technology areset forth with particularity in the appended claims. A betterunderstanding of the features and advantages of the technology will beobtained by reference to the following detailed description that setsforth illustrative embodiments, in which the principles of the inventionare utilized, and the accompanying drawings of which:

FIG. 1 is a schematic diagram depicting an example of a system forsecurely managing audit logs of datasets, in accordance with variousembodiments.

FIG. 2 is a schematic diagram depicting an example of a secret keyserver according to some embodiments.

FIG. 3 is a schematic diagram depicting an example of a dataset keyserver according to some embodiments.

FIG. 4 is a schematic diagram depicting an example of a dataset serveraccording to some embodiments.

FIG. 5 is a schematic diagram depicting an example of a flow of datasetinvolved in a system for securely managing audit logs of datasetsaccording to some embodiments.

FIG. 6 is a flowchart of an example of a method for securely managingand providing access to audit logs of datasets according to someembodiments.

FIG. 7 is a flowchart of an example of a method for disabling access toaudit logs of datasets according to some embodiments.

FIG. 8 illustrates a block diagram of an example computer system inwhich any of the embodiments described herein may be implemented.

DETAILED DESCRIPTION

Logs generated upon access to datasets (e.g., pre-existing datasets) mayinclude sensitive information. For example, the logs may reflect userintent with respect to the datasets. Under conventional approaches,computing systems would perform hardware-based deletion of certain logsincluding sensitive information (e.g. confidential information) in orderto maintain integrity of a dataset and/or logs of the dataset. Once thesensitive information is permanently deleted from data repository onhardware basis, no user can access the deleted sensitive information.However, in some instances, the sensitive information may need to bemaintained while restricting access by some users without sufficientauthority. For example, users of high-level authority need to maintainaccess to the sensitive information, while limiting access to thesensitive information by users of low-level authority, such that theusers of high-level authority maintain access to logs generated uponaccess by the users of low-level authority. Therefore, a computer systemthat maintains integrity of datasets and logs thereof (e.g., withouthardware-based deletion of the sensitive information) may be required.

A claimed solution rooted in computer technology overcomes problemsspecifically arising in the realm of computer technology. In variousimplementations, a computing system employs a combination of symmetricand asymmetric encryption. Specifically, a computing system encrypts asymmetric key for a dataset into a plurality of keys corresponding to aplurality of users, using a public key of a log producer that hasauthority to produce a log for the dataset and public keys of logaccessors that have authority to access the log. Then, the encryptedsymmetric keys are stored in a datastore (e.g., dataset key server).Also, private keys corresponding to the public keys of the log producerand the log accessors are stored in a datastore (e.g., secret keyserver). When the computing system receives a request from a user havingauthority as a log producer, the computing system returns an encryptedsymmetric key that is encrypted using the public key of the logproducer, such that the user decrypts the encrypted symmetric key usingthe private key of the log producer obtained from the datastore (e.g.,secret key server), and decrypts the dataset that is encrypted using thesymmetric key. Similarly, when the computing system receives a requestfrom a user having authority as a log accessor, the computing systemreturns an encrypted symmetric key that is encrypted using a public keyof the log accessor, such that the user decrypts the encrypted symmetrickey using the private key of the log accessor obtained from thedatastore (e.g., secret key server), and decrypts a log generated byaccess to the dataset by the log producer. When a particular one of thelog accessors is no longer allowed to access the log, the computingsystem delete the encrypted symmetric key corresponding to theparticular log accessor from the datastore (e.g., dataset key server).

FIG. 1 is a schematic diagram depicting an example of a system 100 forsecurely managing audit logs of datasets, in accordance with variousembodiments. In the example depicted in FIG. 1 , the system 100 includesa network 102, audit producer(s) 104, a plurality of audit consumers 106₁-106 _(n) (hereinafter collectively referred to as 106), a secret keyserver 108, a dataset key server 110, and a dataset server 112. Theaudit producer(s) 104, the plurality of audit consumers 106, the secretkey server 108, the dataset key server 110, and the dataset server 112are coupled to the network 102.

In the example of FIG. 1 , the network 102 is intended to represent avariety of potentially applicable technologies. For example, the network102 can be used to form a network or part of a network. Where twocomponents are co-located on a device, the network 102 can include a busor other data conduit or plane. Depending upon implementation-specificor other considerations, the network 102 can include wired communicationinterfaces and wireless communication interfaces for communicating overwired or wireless communication channels. Where a first component islocated on a first device and a second component is located on a second(different) device, the network 102 can include a wireless or wiredback-end network or LAN. The network 102 can also encompass a relevantportion of a WAN or other network, if applicable. Enterprise networkscan include geographically distributed LANs coupled across WAN segments.For example, a distributed enterprise network can include multiple LANs(each LAN is sometimes referred to as a Basic Service Set (BSS) in IEEE802.11 parlance, though no explicit requirement is suggested here)separated by WAN segments. An enterprise network can also use VLANtunneling (the connected LANs are sometimes referred to as an ExtendedService Set (ESS) in IEEE 802.11 parlance, though no explicitrequirement is suggested here). Depending upon implementation or otherconsiderations, the network 102 can include a private cloud under thecontrol of an enterprise or third party, or a public cloud.

In the example of FIG. 1 , each of the audit producer(s) 104, theplurality of audit consumers 106, the secret key server 108, the datasetkey server 110, and the dataset server 112 may represent one or morecomputing devices including one or more processors and memory. Theprocessors can be configured to perform various operations byinterpreting machine-readable instructions.

The audit producer(s) 104 may include one or more users (e.g., humanand/or artificial agent), each of which may be eligible to haveauthorization to access a dataset stored in the dataset server 112, andpossibly a user (human or artificial agent) that has no access privilegeand/or limited access privilege to access a dataset stored in thedataset server 112. In some embodiments, the audit producer(s) 104accesses the secret key server 108 and/or the dataset key server 110 toobtain data (e.g., keys) that is required to access the dataset storedin the dataset server 112.

In some embodiments, when the audit producer(s) 104 accesses a datasetin the dataset server 112, an audit log of the specific access to thedatastore is generated. Depending on a specific implementation of theembodiments, the audit log may be generated in the audit producer(s) 104or in the dataset server 112, and stored in the dataset server 112. Insome embodiments, the audit log includes a secure audit log includingsecure data components that requires authorization to access and anon-secure audit log without the secure data components. For example,the secure data components may include confidential information thatshould be disclosed to users (human or artificial agents) of certainprivilege. In some embodiments, a single audit log includes a securedata portion and non-secured data portion. The secured data portion andthe non-secured data portion have similar characteristic as the secureaudit log and the non-secure audit log, respectively. The secure auditlog and/or the secure data portion of an audit log are stored in asecure manner, for example, in the dataset server 112. In someembodiments, a plurality of audit logs generated in accordance withaccess to a dataset may be stored and managed separately based on users(e.g., the audit producers) who accessed the dataset. For example, oneor more audit logs generated in accordance with access to a dataset by afirst user are stored and managed separately from one or more audit logsgenerated in accordance with access to the dataset by a second user.Such separate storage and malmanagement of audit logs enable more securemanagement thereof.

Each of the audit consumers 106 may include a user (e.g., human and/orartificial agent) that is eligible to have authorization to access oneor more of audit logs that are generated upon access by the auditproducer(s) 104. In some embodiments, each of the audit consumers 106accesses the secret key server 108 and/or the dataset key server 110 toobtain data (e.g., keys) that are required to access the audit logs inthe dataset server 112.

In some embodiments, the audit consumers 106 are categorized into aplurality of classes (i.e., the audit consumers 106 ₁-106 _(n))corresponding different audit roles. That is, the audit consumer 106 ₁may correspond to an audit consumer of a first class (or first auditrole), the audit consumer 106 ₂ may correspond to an audit consumer of asecond class (or second audit role), and so on. In a specificimplementation of the embodiments, each class of audit consumers mayhave a unique access privilege to datasets in the dataset server 112, ora unique access privilege to audit logs in the dataset server 112. In aspecific implementation of the embodiments, the audit roles of the auditconsumers may include an audit administrator, an analytics role, abranch information manager, an organizational information manager,and/or an inspector general. The audit administrator has a role ofreading audit logs (occasionally) to check if the audit logs are beingproduced correctly. The audit analyst has a role of reading audit logsto feed analytics (e.g., for machine learning). The branch informationmanager has a role of reading audit logs to check on activities of theaudit analyst. The organizational information manager also has a role ofreading audit logs to check on the activities of the audit analyst. Theorganizational information manager may be limited to human agents, orusers who have access to the dataset. The inspector general includes aninternal or external authority that requires special investigativepowers. The inspector general may be limited to human agents, or userswho have access to the dataset.

The secret key server 108 is intended to represent a datastore forstoring secret keys. In some embodiments, the secret keys includes asecret key (private key) unique to the audit producer 104, a secret keyunique to each of the audit consumers 106. A secret key is a part ofasymmetric key pair that includes the secret key and a public key, anddata encrypted by a public key is decryptable by a corresponding secretkey. In some embodiments, the secret keys are securely stored in thesecret key server 108 such that only a user of a secret key have accessto the secret key in the secret key server 108. In some embodiments,public key(s) of the audit producer(s) 104 and public keys of the auditconsumers 106 are openly disseminated for encryption of data. Forexample, the public key(s) of the audit producer(s) 104 and the publickeys of the audit consumers 106 are disseminated to the dataset keyserver 110.

The dataset key server 110 is intended to represent a datastore forstoring dataset keys of datasets. In some embodiments, a dataset key ofa dataset is a symmetric key, which can be used for both encryption anddecryption of data. Depending on a specific implementation of theembodiments, a single dataset key may corresponds to a single dataset ora group of datasets. The symmetric key employs an applicable encryptionstandard and algorithm, such as advanced encryption standard (AES),Anubis, GrandCru, data encryption standard (DES). In some embodiments, adataset key is generated when corresponding dataset(s) is generated(e.g., by a user who created the dataset(s)). In some embodiments, adataset key for a dataset stored in the dataset key server 110 isencrypted using each of the public keys of the audit producer(s) 104 andthe public keys of the audit consumers 106. Depending on a specificimplementation of the embodiments, a user who created the dataset, thedataset key server 110, the dataset server 112, or another agentencrypts the dataset key.

The dataset server 112 is intended to represent a datastore for storingat least datasets. In some embodiments, the datasets in the datasetserver 112 are encrypted using corresponding dataset keys. In someembodiments, the dataset server 112 also stores audit logs correspondingto the datasets in association with the datasets. Further, when theaudit logs are stored in the dataset server 112, the audit logs areencrypted using dataset keys of corresponding dataset.

FIG. 2 is a schematic diagram depicting an example of a secret keyserver 202 according to some embodiments. In an embodiment, the secretkey server 202 corresponds to the secret key server 108 depicted in FIG.1 . In the example depicted in FIG. 2 , the secret key server 202includes an authentication engine 204, a communication engine 206, and asecret key datastore 208.

The authentication engine 204 functions to perform authentication of auser when an access request is received from the user through acommunication interface (not shown) of the secret key server 202.Depending on a specific implementation of embodiments, theauthentication engine 204 employs an applicable authentication scheme toperform the authentication. For example, the authentication engine 204may employ certificate-based authentication, passcode-basedauthentication, and biometric-based authentication, and/or a combinationthereof. Depending on a specific implementation of embodiments, datatransacted for the authentication are encrypted to ensure more securemanagement of the secret keys in the authentication engine 204.

The communication engine 206 functions to manage communication withexternal devices, such as the audit producer(s) 104 and the auditconsumers 106 in FIG. 1 . Depending on a specific implementation ofembodiments, the communication engine 206 employs an applicablecommunication scheme to perform the communication. For example, thecommunication engine 206 perform encryption and/or decryption of datacommunication with the external devices, error detection (andcorrection) of data communication with the external devices and so on.

The secret key datastore 208 is intended to represent storage configuredto store secret key(s) of audit producer(s) (e.g., audit producer(s) 104in FIG. 1 ) and secret keys of audit consumers of different classes(e.g., audit consumers 106 in FIG. 1 ). Depending on a specificimplementation of embodiments, the secret key datastore 208 employs anapplicable data storage scheme to ensure secure data storage therein.For example, the secret key datastore 208 may encrypt data storedtherein, compartmentalize data, dynamically change data storagelocations, or perform combination thereof.

FIG. 3 is a schematic diagram depicting an example of a dataset keyserver 302 according to some embodiments. In an embodiment, the datasetkey server 302 corresponds to the dataset key server 110 depicted inFIG. 1 . In the example depicted in FIG. 3 , the dataset key server 302includes an authentication engine 304, a communication engine 306, andan encrypted dataset key datastore 308.

The authentication engine 304 functions to perform authentication of auser when an access request is received from the user through acommunication interface (not shown) of the dataset key server 302.Depending on a specific implementation of embodiments, theauthentication engine 304 employs an applicable authentication scheme toperform the authentication, in a similar manner as the authenticationengine 204 of the secret key server 202.

The communication engine 306 functions to manage communication withexternal devices, such as the audit producer(s) 104 and the auditconsumers 106 in FIG. 1 . Depending on a specific implementation ofembodiments, the communication engine 306 employs an applicablecommunication scheme to perform the communication, in a similar manneras the authentication engine 206 of the secret key server 202.

The encrypted dataset key datastore 308 is intended to represent storageconfigured to store dataset keys of one or more datasets. In someembodiments, with respect to each dataset, a plurality of encrypteddataset keys corresponding audit producer(s) (e.g., the auditproducer(s) 104 in FIG. 1 ) and audit consumers (e.g., the auditconsumers 106 in FIG. 1 ) are stored. For example, as depicted in FIG. 3, in association with a dataset identifier “D₁” of a dataset, aproducer-encrypted dataset key 310 ₁ encrypted using a public key of anaudit producer and a plurality of consumer-encrypted dataset keys 312₁₋₁-312 _(1-n), each encrypted using a public key of a correspondingaudit producer, are stored in association with a corresponding auditrole identifier (e.g., “P” for audit producer, and “C₁” through “C_(k)”for audit consumers). Similarly, in association with a datasetidentifier “D_(k)” of a dataset, a producer-encrypted dataset key 310_(k) encrypted using a public key of an audit producer and a pluralityof consumer-encrypted dataset keys 312 _(k-1)-312 _(k-n), each encryptedusing a public key of a corresponding audit producer, are stored inassociation with a corresponding audit role identifier (e.g., “P” foraudit producer, and “C₁” through “C_(k)” for audit consumers). Dependingon a specific implementation of embodiments, the encrypted dataset keydatastore 308 employs an applicable data storage scheme to ensure securedata storage therein, in a similar manner as the secret key datastore208 of the secret key server 202.

The encrypted dataset key datastore 308 is capable of deleting aconsumer-encrypted dataset key in response to a request, upon successfulauthentication of the request and/or a sender of the request by theauthentication engine 304. In some embodiments, the request issuccessfully authenticated when the sender is authorized to performdeletion. In a more specific implementation, the sender is authorized toperform the deletion when the sender is of a consumer role or classhigher than the audit consumer of the role or class subjected todeletion in a hierarchy. For example, only the inspector general mayhave authority to perform deletion.

FIG. 4 is a schematic diagram depicting an example of a dataset server402 according to some embodiments. In an embodiment, the dataset server402 corresponds to the dataset server 112 depicted in FIG. 1 . In theexample depicted in FIG. 4 , the dataset server 402 includes anauthentication engine 404, a communication engine 406, and an encrypteddataset and audit log datastore 408.

The authentication engine 404 functions to perform authentication of auser when an access request is received from the user through acommunication interface (not shown) of the dataset server 402. Dependingon a specific implementation of embodiments, the authentication engine404 employs an applicable authentication scheme to perform theauthentication, in a similar manner as the authentication engine 204 ofthe secret key server 202 and/or the authentication engine 304 of thedataset key server 302.

The communication engine 406 functions to manage communication withexternal devices, such as the audit producer(s) 104 and the auditconsumers 106 in FIG. 1 . Depending on a specific implementation ofembodiments, the communication engine 406 employs an applicablecommunication scheme to perform the communication, in a similar manneras the authentication engine 206 of the secret key server 202 and/or thecommunication engine 306 of the dataset key server 302.

The encrypted dataset and audit log datastore 408 is intended torepresent storage configured to store a dataset key of one or moredatasets. In some embodiments, with respect to each dataset, a datasetencrypted using its corresponding dataset key and one or more audit logsthat are generated in association with the dataset and encrypted usingthe corresponding dataset key are stored. For example, as depicted inFIG. 4 , in association with a dataset identifier “D₁” of a dataset, anencrypted dataset 410 ₁ that is encrypted using a dataset key thereofand one or more of audit logs 412 ₁, if any, that are also encryptedusing the dataset key of the dataset _(D1) are stored. Similarly, inassociation with a dataset identifier “D_(k)” of a dataset an encrypteddataset 410 _(k) that is encrypted using a dataset key thereof and oneor more audit logs 412 _(k), if any, that are also encrypted using thedataset key of the dataset D_(k) are stored. Depending on a specificimplementation of embodiments, the encrypted dataset and audit logdatastore 408 employs an applicable data storage scheme to ensure securedata storage therein, in a similar manner as the secret key datastore208 of the secret key server 202 and/or the encrypted dataset keydatastore 308 of the dataset key server 302.

FIG. 5 is a schematic diagram depicting an example of a flow 500 of datainvolved in a system for securely managing audit logs of datasetsaccording to some embodiments. In some embodiments, an audit producer520, an audit consumer 530, a dataset server 508, a dataset key server514 depicted in FIG. 5 correspond to the audit producer 104, the auditconsumer 106 _(n), the dataset key server 110, and the dataset server112 depicted in FIG. 1 , respectively.

When an audit role such as an audit producer and an audit consumer, iscreated, an asymmetric key pair of a public key and a secret key isgenerated. Specifically, a pair of a producer public key 510 and aproducer secret key 522 is generated for an audit producer. Similarly, apair of a consumer public key 516 and a consumer secret key 532 isgenerated for each of audit consumers 530 (consumer 1 through consumern). In some embodiments, the generated producer secret key 522 and thegenerated consumer secret keys 532 _(1-n) are securely stored in asecret key server (e.g., the secret key server 108 in FIG. 1 ).

When a dataset 502 is created, a dataset key 504 of the dataset 502,which is a symmetric key, is generated. The dataset 502 is encryptedinto an encrypted dataset 506, using the dataset key 504, and theencrypted dataset 506 is stored in a dataset server 508 (arrow A1).Further, the generated dataset key 504 is encrypted using each of theproducer public key 510 and the consumer public keys 516 _(1-n) into aproducer-encrypted dataset key 512 and consumer-encrypted dataset keys518 _(1-n), respectively and stored in the dataset key server 514 (arrowA2).

When the audit producer 520 (i.e., a user having a role of the auditproducer) accesses the dataset 502, the audit producer 520 sends to thedataset key server 514 a request for the producer-encrypted dataset key512 along with a dataset identifier (e.g., “D_(k)”) of the dataset 502and an audit producer identifier (e.g., “P”). In response, theproducer-encrypted dataset key 512 returns the producer-encrypteddataset key 512 upon authentication of the audit producer 520. Thereturned producer-encrypted dataset key 512 is decrypted using theproducer secret key 522, which is obtained from the secret key server,and a dataset key 524, which can be the same as the dataset key 504, isgenerated (arrow A3).

After receiving the producer-encrypted dataset key 512, the auditproducer 520 sends to the dataset server 508 a request for the encrypteddataset 506 along with the dataset identifier (e.g., “D_(k)”) andfurther the producer identifier. In response, the dataset server 508returns the encrypted dataset 506 upon authentication of the auditproducer 520 (arrow A4). Then, the audit producer 520 decrypts theencrypted dataset 506 into the dataset 502 (or a copy thereof) using thedataset key 524 and obtains access to the dataset 502. When the auditproducer 520 accesses the dataset 502, an audit log 526 for securepurpose is generated. The generated audit log 526 is encrypted into anencrypted audit log 528 using the dataset key 524, and the encryptedaudit log 528 is stored in the dataset server 508 in association withthe encrypted dataset 506 (arrow A5).

In some embodiments, use of the dataset key 524 has an applicablerestriction so as to improve security of data in the dataset server 508accessible with the dataset key 524, which might be improperly accessedby unauthorized entities. For example, the dataset key 524 istimestamped and usable only for a limited period of time. In anotherexample, the dataset key 524 becomes unusable upon the encrypted auditlog 508 is generated.

When the audit consumer 530 of a specific role or class (i.e., a userhaving a specific role or class of the audit consumer) accesses theencrypted audit log 508 (may also the encrypted dataset 506), the auditconsumer 530 sends to the dataset key server 514 a request for aconsumer-encrypted dataset key 514 corresponding thereto along with thedataset identifier (e.g., “D_(k)”) of the dataset 502 and an auditconsumer identifier of the role or class (e.g., “C_(n)”). In response,the dataset server 508 returns the consumer-encrypted dataset key 518_(n) upon authentication of the audit consumer 530 (arrow A6). Thereturned consumer-encrypted dataset key 518 _(n) is decrypted using theconsumer secret key 532 _(n) corresponding to the rule or class, whichis obtained from the secret key server, and a dataset key 534, which canbe the same as the dataset key 504, is generated (arrow A6).

After receiving the consumer-encrypted dataset key 518 _(n), the auditconsumer 530 sends to the dataset server 508 a request for the encryptedaudit log 528 (and also dataset 506) along with the dataset identifier(e.g., “D_(k)”), and also the consumer identifier. In response, thedataset server 508 returns the encrypted audit log 528 (and also theencrypted dataset 506) upon authentication of the audit consumer 530(arrow A4). Then, the audit consumer 530 decrypts the encrypted auditlog 528 into an audit log 536 using the dataset key 534 and obtainsaccess to the audit log 536 (arrow A7).

In some embodiments, use of the dataset key 534 has an applicablerestriction, similarly to the dataset key 524, so as to improve securityof data in the dataset server 508 accessible with the dataset key 534,which might be improperly accessed by unauthorized entities.

When an audit consumer of a role or a class should no longer have accessto the dataset 502 (encrypted dataset 506) or the audit log 526(encrypted audit log 528), a consumer-encrypted dataset key 518 storedin the dataset key server 514 is deleted. Since the audit consumer forwhich corresponding consumer-encrypted dataset key 518 has been deletedcan no longer have a decrypted dataset key to decrypt the encrypteddataset 506 and the encrypted audit log 528. Therefore, the auditconsumer of the role or class loses access to the dataset 502 and theaudit log 526. On the other hand, the consumer-encrypted dataset keys518 for audit consumers of the other roles or classes remain in thedataset key server 514. For that reason, the audit consumers of theother roles or classes do not lose access to the dataset 502 and theaudit log 526. In this manner, by selectively deleting aconsumer-encrypted dataset key corresponding to an audit consumer of aspecific role or class from the dataset key server 514, access to aspecific dataset and a specific audit log can be selectively restrictedfor the audit consumer of the specific role or class.

FIG. 6 is a flowchart 600 of an example of a method for securelymanaging and providing access to audit logs of datasets according tosome embodiments. This flowchart and other flowcharts described in thispaper illustrate modules (and potentially decision points) organized ina fashion that is conducive to understanding. It should be recognized,however, that the modules can be reorganized for parallel execution,reordered, modified (changed, removed, or augmented), wherecircumstances permit.

In FIG. 6 , modules 602-606 are carried out before or when a dataset iscreated. Specifically, in module 602, an asymmetric key pair (i.e., apublic key and a secret key) is generated for each of audit producer(s)and audit consumers of different roles. An applicable device or systemfor generating asymmetric key pairs (e.g., the audit producer(s) 104 andthe audit consumers 106 in FIG. 1 ) can generate the asymmetric keypairs.

In module 604, a symmetric key (dataset key) of a dataset is generatedupon creation of the dataset. An applicable system for generating asymmetric key (e.g., a user creating the dataset) can generate thesymmetric key.

In module 606, the symmetric key of the dataset is encrypted using eachof the public keys of the audit producer(s) and audit consumers. Anapplicable system for encrypting a symmetric key (e.g., the dataset keyserver 110 in FIG. 1 ) can encrypt the symmetric key of the dataset.

In FIG. 6 , modules 608-612 are carried out when an audit log isgenerated based on access to the dataset by an audit producer.Specifically, in module 608, a dataset key (i.e., producer-encrypteddataset key) that has been encrypted using a public key of the auditproducer (obtained in module 606) is obtained by the audit producer fromthe dataset key server.

In module 610, the obtained producer-encrypted dataset key is decryptedby the audit producer using a secret key of the audit producer, and adecrypted dataset key (i.e., the dataset key) is obtained. Further, inmodule 610, an encrypted dataset stored in the dataset server isobtained from the dataset server and decrypted using the dataset key(obtained in module 608), and a decrypted dataset (i.e., the dataset)becomes accessible by the audit producer.

In module 612, upon access to the dataset, an audit log of the datasetis generated, and the generated audit log is encrypted using the datasetkey (obtained in module 608) into an encrypted audit log, which is thenstored in the dataset server.

In FIG. 6 , modules 614-618 are carried out when the audit log (theencrypted audit log) is accessed by an audit consumer. Specifically, inmodule 614, a dataset key (i.e., consumer-encrypted dataset key) thathas been encrypted using a public key of the audit consumer (obtained inmodule 606) is obtained by the audit consumer from the dataset keyserver.

In module 616, the obtained consumer-encrypted dataset key is decryptedby the audit consumer using a secret key of the audit consumer, and adecrypted dataset key (i.e., the dataset key) is obtained. Further, inmodule 616, the encrypted audit log stored in the dataset server isobtained from the dataset server.

In module 618, the obtained encrypted audit log is decrypted using thedataset key (obtained in module 614), and a decrypted audit log (i.e.,the audit log) becomes accessible by the audit consumer.

FIG. 7 is a flowchart 700 of an example of a method for disabling accessto audit logs of datasets according to some embodiments. In FIG. 7 ,modules 702-706 are carried out by an applicable dataset key server suchas the dataset key server 110 in FIG. 1 .

In module 702, an encrypted dataset key (e.g., the producer-encrypteddataset key in module 606 of FIG. 6 ) for an audit producer andencrypted dataset keys (e.g., the consumer-encrypted dataset keys inmodule 606 of FIG. 6 ) for audit consumers of different roles or classesare stored in a dataset key server.

In decision point 704, it is determined whether or not a request todelete a consumer-encrypted dataset key is received. In someembodiments, the request to delete the consumer-encrypted dataset key isreceivable or acceptable only from an audit consumer of a different roleor class (e.g., higher in a hierarchy) from which the role or class forwhich the access is disabled. If the decision result of decision point704 is yes (Y in FIG. 7 ), the flowchart 700 proceeds to module 706. Ifthe decision result is no (N in FIG. 7 ), the flowchart 700 repeats thedecision point 704.

In module 706, the consumer-encrypted dataset key corresponding to thereceived request is deleted from the dataset key server. Once, theconsumer-encrypted dataset key is deleted, the audit consumer of thedeleted role or class loses access to the corresponding dataset and theaudit log.

Hardware Implementation

The techniques described herein are implemented by one or morespecial-purpose computing devices. The special-purpose computing devicesmay be hard-wired to perform the techniques, or may include circuitry ordigital electronic devices such as one or more application-specificintegrated circuits (ASICs) or field programmable gate arrays (FPGAs)that are persistently programmed to perform the techniques, or mayinclude one or more hardware processors programmed to perform thetechniques pursuant to program instructions in firmware, memory, otherstorage, or a combination. Such special-purpose computing devices mayalso combine custom hard-wired logic, ASICs, or FPGAs with customprogramming to accomplish the techniques. The special-purpose computingdevices may be desktop computer systems, server computer systems,portable computer systems, handheld devices, networking devices or anyother device or combination of devices that incorporate hard-wiredand/or program logic to implement the techniques.

Computing device(s) are generally controlled and coordinated byoperating system software, such as iOS, Android, Chrome OS, Windows XP,Windows Vista, Windows 7, Windows 8, Windows Server, Windows CE, Unix,Linux, SunOS, Solaris, iOS, Blackberry OS, VxWorks, or other compatibleoperating systems. In other embodiments, the computing device may becontrolled by a proprietary operating system. Conventional operatingsystems control and schedule computer processes for execution, performmemory management, provide file system, networking, I/O services, andprovide a user interface functionality, such as a graphical userinterface (“GUI”), among other things.

FIG. 8 is a block diagram that illustrates a computer system 800 uponwhich any of the embodiments described herein may be implemented. Thecomputer system 800 includes a bus 802 or other communication mechanismfor communicating information, one or more hardware processors 804coupled with bus 802 for processing information. Hardware processor(s)804 may be, for example, one or more general purpose microprocessors.

The computer system 800 also includes a main memory 806, such as arandom access memory (RAM), cache and/or other dynamic storage devices,coupled to bus 802 for storing information and instructions to beexecuted by processor 604. Main memory 806 also may be used for storingtemporary variables or other intermediate information during executionof instructions to be executed by processor 804. Such instructions, whenstored in storage media accessible to processor 804, render computersystem 800 into a special-purpose machine that is customized to performthe operations specified in the instructions.

The computer system 800 further includes a read only memory (ROM) 808 orother static storage device coupled to bus 802 for storing staticinformation and instructions for processor 704. A storage device 810,such as a magnetic disk, optical disk, or USB thumb drive (Flash drive),etc., is provided and coupled to bus 802 for storing information andinstructions.

The computer system 800 may be coupled via bus 802 to a display 812,such as a cathode ray tube (CRT) or LCD display (or touch screen), fordisplaying information to a computer user. An input device 814,including alphanumeric and other keys, is coupled to bus 602 forcommunicating information and command selections to processor 804.Another type of user input device is cursor control 816, such as amouse, a trackball, or cursor direction keys for communicating directioninformation and command selections to processor 804 and for controllingcursor movement on display 812. This input device typically has twodegrees of freedom in two axes, a first axis (e.g., x) and a second axis(e.g., y), that allows the device to specify positions in a plane. Insome embodiments, the same direction information and command selectionsas cursor control may be implemented via receiving touches on a touchscreen without a cursor.

The computing system 800 may include a user interface module toimplement a GUI that may be stored in a mass storage device asexecutable software codes that are executed by the computing device(s).This and other modules may include, by way of example, components, suchas software components, object-oriented software components, classcomponents and task components, processes, functions, attributes,procedures, subroutines, segments of program code, drivers, firmware,microcode, circuitry, data, databases, data structures, tables, arrays,and variables.

In general, the word “module,” as used herein, refers to logic embodiedin hardware or firmware, or to a collection of software instructions,possibly having entry and exit points, written in a programminglanguage, such as, for example, Java, C or C++. A software module may becompiled and linked into an executable program, installed in a dynamiclink library, or may be written in an interpreted programming languagesuch as, for example, BASIC, Perl, or Python. It will be appreciatedthat software modules may be callable from other modules or fromthemselves, and/or may be invoked in response to detected events orinterrupts. Software modules configured for execution on computingdevices may be provided on a computer readable medium, such as a compactdisc, digital video disc, flash drive, magnetic disc, or any othertangible medium, or as a digital download (and may be originally storedin a compressed or installable format that requires installation,decompression or decryption prior to execution). Such software code maybe stored, partially or fully, on a memory device of the executingcomputing device, for execution by the computing device. Softwareinstructions may be embedded in firmware, such as an EPROM. It will befurther appreciated that hardware modules may be comprised of connectedlogic units, such as gates and flip-flops, and/or may be comprised ofprogrammable units, such as programmable gate arrays or processors. Themodules or computing device functionality described herein arepreferably implemented as software modules, but may be represented inhardware or firmware. Generally, the modules described herein refer tological modules that may be combined with other modules or divided intosub-modules despite their physical organization or storage.

The computer system 800 may implement the techniques described hereinusing customized hard-wired logic, one or more ASICs or FPGAs, firmwareand/or program logic which in combination with the computer systemcauses or programs computer system 800 to be a special-purpose machine.According to one embodiment, the techniques herein are performed bycomputer system 800 in response to processor(s) 804 executing one ormore sequences of one or more instructions contained in main memory 806.Such instructions may be read into main memory 806 from another storagemedium, such as storage device 810. Execution of the sequences ofinstructions contained in main memory 806 causes processor(s) 804 toperform the process steps described herein. In alternative embodiments,hard-wired circuitry may be used in place of or in combination withsoftware instructions.

The term “non-transitory media,” and similar terms, as used hereinrefers to any media that store data and/or instructions that cause amachine to operate in a specific fashion. Such non-transitory media maycomprise non-volatile media and/or volatile media. Non-volatile mediaincludes, for example, optical or magnetic disks, such as storage device810. Volatile media includes dynamic memory, such as main memory 806.Common forms of non-transitory media include, for example, a floppydisk, a flexible disk, hard disk, solid state drive, magnetic tape, orany other magnetic data storage medium, a CD-ROM, any other optical datastorage medium, any physical medium with patterns of holes, a RAM, aPROM, and EPROM, a FLASH-EPROM, NVRAM, any other memory chip orcartridge, and networked versions of the same.

Non-transitory media is distinct from but may be used in conjunctionwith transmission media. Transmission media participates in transferringinformation between non-transitory media. For example, transmissionmedia includes coaxial cables, copper wire and fiber optics, includingthe wires that comprise bus 802. Transmission media can also take theform of acoustic or light waves, such as those generated duringradio-wave and infra-red data communications.

Various forms of media may be involved in carrying one or more sequencesof one or more instructions to processor 804 for execution. For example,the instructions may initially be carried on a magnetic disk or solidstate drive of a remote computer. The remote computer can load theinstructions into its dynamic memory and send the instructions over atelephone line using a modem. A modem local to computer system 800 canreceive the data on the telephone line and use an infra-red transmitterto convert the data to an infra-red signal. An infra-red detector canreceive the data carried in the infra-red signal and appropriatecircuitry can place the data on bus 802. Bus 802 carries the data tomain memory 806, from which processor 804 retrieves and executes theinstructions. The instructions received by main memory 806 may retrievesand executes the instructions. The instructions received by main memory806 may optionally be stored on storage device 810 either before orafter execution by processor 804.

The computer system 800 also includes a communication interface 818coupled to bus 802. Communication interface 818 provides a two-way datacommunication coupling to one or more network links that are connectedto one or more local networks. For example, communication interface 818may be an integrated services digital network (ISDN) card, cable modem,satellite modem, or a modem to provide a data communication connectionto a corresponding type of telephone line. As another example,communication interface 818 may be a local area network (LAN) card toprovide a data communication connection to a compatible LAN (or WANcomponent to communicated with a WAN). Wireless links may also beimplemented. In any such implementation, communication interface 818sends and receives electrical, electromagnetic or optical signals thatcarry digital data streams representing various types of information.

A network link typically provides data communication through one or morenetworks to other data devices. For example, a network link may providea connection through local network to a host computer or to dataequipment operated by an Internet Service Provider (ISP). The ISP inturn provides data communication services through the world wide packetdata communication network now commonly referred to as the “Internet”.Local network and Internet both use electrical, electromagnetic oroptical signals that carry digital data streams. The signals through thevarious networks and the signals on network link and throughcommunication interface 818, which carry the digital data to and fromcomputer system 800, are example forms of transmission media.

The computer system 800 can send messages and receive data, includingprogram code, through the network(s), network link and communicationinterface 818. In the Internet example, a server might transmit arequested code for an application program through the Internet, the ISP,the local network and the communication interface 818.

The received code may be executed by processor 804 as it is received,and/or stored in storage device 810, or other non-volatile storage forlater execution.

Each of the processes, methods, and algorithms described in thepreceding sections may be embodied in, and fully or partially automatedby, code modules executed by one or more computer systems or computerprocessors comprising computer hardware. The processes and algorithmsmay be implemented partially or wholly in application-specificcircuitry.

The various features and processes described above may be usedindependently of one another, or may be combined in various ways. Allpossible combinations and sub-combinations are intended to fall withinthe scope of this disclosure. In addition, certain method or processblocks may be omitted in some implementations. The methods and processesdescribed herein are also not limited to any particular sequence, andthe blocks or states relating thereto can be performed in othersequences that are appropriate. For example, described blocks or statesmay be performed in an order other than that specifically disclosed, ormultiple blocks or states may be combined in a single block or state.The example blocks or states may be performed in serial, in parallel, orin some other manner. Blocks or states may be added to or removed fromthe disclosed example embodiments. The example systems and componentsdescribed herein may be configured differently than described. Forexample, elements may be added to, removed from, or rearranged comparedto the disclosed example embodiments.

Conditional language, such as, among others, “can,” “could,” “might,” or“may,” unless specifically stated otherwise, or otherwise understoodwithin the context as used, is generally intended to convey that certainembodiments include, while other embodiments do not include, certainfeatures, elements and/or steps. Thus, such conditional language is notgenerally intended to imply that features, elements and/or steps are inany way required for one or more embodiments or that one or moreembodiments necessarily include logic for deciding, with or without userinput or prompting, whether these features, elements and/or steps areincluded or are to be performed in any particular embodiment.

Any process descriptions, elements, or blocks in the flow diagramsdescribed herein and/or depicted in the attached figures should beunderstood as potentially representing modules, segments, or portions ofcode which include one or more executable instructions for implementingspecific logical functions or steps in the process. Alternateimplementations are included within the scope of the embodimentsdescribed herein in which elements or functions may be deleted, executedout of order from that shown or discussed, including substantiallyconcurrently or in reverse order, depending on the functionalityinvolved, as would be understood by those skilled in the art.

It should be emphasized that many variations and modifications may bemade to the above-described embodiments, the elements of which are to beunderstood as being among other acceptable examples. All suchmodifications and variations are intended to be included herein withinthe scope of this disclosure. The foregoing description details certainembodiments of the invention. It will be appreciated, however, that nomatter how detailed the foregoing appears in text, the invention can bepracticed in many ways. As is also stated above, it should be noted thatthe use of particular terminology when describing certain features oraspects of the invention should not be taken to imply that theterminology is being re-defined herein to be restricted to including anyspecific characteristics of the features or aspects of the inventionwith which that terminology is associated. The scope of the inventionshould therefore be construed in accordance with the appended claims andany equivalents thereof.

Engines, Components, and Logic

Certain embodiments are described herein as including logic or a numberof components, engines, or mechanisms. Engines may comprise softwareengines (e.g., code embodied on a machine-readable medium) and/orhardware engines. A “hardware engine” is a tangible unit capable ofperforming certain operations and may be configured or arranged in acertain physical manner. In various example embodiments, one or morecomputer systems (e.g., a standalone computer system, a client computersystem, or a server computer system) or one or more hardware engines ofa computer system (e.g., a processor or a group of processors) may beconfigured by software (e.g., an application or application portion) asa hardware engine that operates to perform certain operations asdescribed herein.

In some embodiments, a hardware engine may be implemented mechanically,electronically, or any suitable combination thereof. For example, ahardware engine may include dedicated circuitry or logic that ispermanently configured to perform certain operations. For example, ahardware engine may be a special-purpose processor, such as aField-Programmable Gate Array (FPGA) or an Application SpecificIntegrated Circuit (ASIC). A hardware engine may also includeprogrammable logic or circuitry that is temporarily configured bysoftware to perform certain operations. For example, a hardware enginemay include software executed by a general-purpose processor or otherprogrammable processor. Once configured by such software, hardwareengines become specific machines (or specific components of a machine)uniquely tailored to perform the configured functions and are no longergeneral-purpose processors. It will be appreciated that the decision toimplement a hardware engine mechanically, in dedicated and permanentlyconfigured circuitry, or in temporarily configured circuitry (e.g.,configured by software) may be driven by cost and time considerations.

Accordingly, the phrase “hardware engine” should be understood toencompass a tangible entity, be that an entity that is physicallyconstructed, permanently configured (e.g., hardwired), or temporarilyconfigured (e.g., programmed) to operate in a certain manner or toperform certain operations described herein. As used herein,“hardware-implemented engine” refers to a hardware engine. Consideringembodiments in which hardware engines are temporarily configured (e.g.,programmed), each of the hardware engines need not be configured orinstantiated at any one instance in time. For example, where a hardwareengine comprises a general-purpose processor configured by software tobecome a special-purpose processor, the general-purpose processor may beconfigured as respectively different special-purpose processors (e.g.,comprising different hardware engines) at different times. Softwareaccordingly configures a particular processor or processors, forexample, to constitute a particular hardware engine at one instance oftime and to constitute a different hardware engine at a differentinstance of time.

Hardware engines can provide information to, and receive informationfrom, other hardware engines. Accordingly, the described hardwareengines may be regarded as being communicatively coupled. Where multiplehardware engines exist contemporaneously, communications may be achievedthrough signal transmission (e.g., over appropriate circuits and buses)between or among two or more of the hardware engines. In embodiments inwhich multiple hardware engines are configured or instantiated atdifferent times, communications between such hardware engines may beachieved, for example, through the storage and retrieval of informationin memory structures to which the multiple hardware engines have access.For example, one hardware engine may perform an operation and store theoutput of that operation in a memory device to which it iscommunicatively coupled. A further hardware engine may then, at a latertime, access the memory device to retrieve and process the storedoutput. Hardware engines may also initiate communications with input oroutput devices, and can operate on a resource (e.g., a collection ofinformation).

The various operations of example methods described herein may beperformed, at least partially, by one or more processors that aretemporarily configured (e.g., by software) or permanently configured toperform the relevant operations. Whether temporarily or permanentlyconfigured, such processors may constitute processor-implemented enginesthat operate to perform one or more operations or functions describedherein. As used herein, “processor-implemented engine” refers to ahardware engine implemented using one or more processors.

Similarly, the methods described herein may be at least partiallyprocessor-implemented, with a particular processor or processors beingan example of hardware. For example, at least some of the operations ofa method may be performed by one or more processors orprocessor-implemented engines. Moreover, the one or more processors mayalso operate to support performance of the relevant operations in a“cloud computing” environment or as a “software as a service” (SaaS).For example, at least some of the operations may be performed by a groupof computers (as examples of machines including processors), with theseoperations being accessible via a network (e.g., the Internet) and viaone or more appropriate interfaces (e.g., an Application ProgramInterface (API)).

The performance of certain of the operations may be distributed amongthe processors, not only residing within a single machine, but deployedacross a number of machines. In some example embodiments, the processorsor processor-implemented engines may be located in a single geographiclocation (e.g., within a home environment, an office environment, or aserver farm). In other example embodiments, the processors orprocessor-implemented engines may be distributed across a number ofgeographic locations.

Language

Throughout this specification, plural instances may implementcomponents, operations, or structures described as a single instance.Although individual operations of one or more methods are illustratedand described as separate operations, one or more of the individualoperations may be performed concurrently, and nothing requires that theoperations be performed in the order illustrated. Structures andfunctionality presented as separate components in example configurationsmay be implemented as a combined structure or component. Similarly,structures and functionality presented as a single component may beimplemented as separate components. These and other variations,modifications, additions, and improvements fall within the scope of thesubject matter herein.

Although an overview of the subject matter has been described withreference to specific example embodiments, various modifications andchanges may be made to these embodiments without departing from thebroader scope of embodiments of the present disclosure. Such embodimentsof the subject matter may be referred to herein, individually orcollectively, by the term “invention” merely for convenience and withoutintending to voluntarily limit the scope of this application to anysingle disclosure or concept if more than one is, in fact, disclosed.

The embodiments illustrated herein are described in sufficient detail toenable those skilled in the art to practice the teachings disclosed.Other embodiments may be used and derived therefrom, such thatstructural and logical substitutions and changes may be made withoutdeparting from the scope of this disclosure. The Detailed Description,therefore, is not to be taken in a limiting sense, and the scope ofvarious embodiments is defined only by the appended claims, along withthe full range of equivalents to which such claims are entitled.

It will be appreciated that an “engine,” “system,” “data store,” and/or“database” may comprise software, hardware, firmware, and/or circuitry.In one example, one or more software programs comprising instructionscapable of being executable by a processor may perform one or more ofthe functions of the engines, data stores, databases, or systemsdescribed herein. In another example, circuitry may perform the same orsimilar functions. Alternative embodiments may comprise more, less, orfunctionally equivalent engines, systems, data stores, or databases, andstill be within the scope of present embodiments. For example, thefunctionality of the various systems, engines, data stores, and/ordatabases may be combined or divided differently.

“Open source” software is defined herein to be source code that allowsdistribution as source code as well as compiled form, with awell-publicized and indexed means of obtaining the source, optionallywith a license that allows modifications and derived works.

The data stores described herein may be any suitable structure (e.g., anactive database, a relational database, a self-referential database, atable, a matrix, an array, a flat file, a documented-oriented storagesystem, a non-relational No-SQL system, and the like), and may becloud-based or otherwise.

As used herein, the term “or” may be construed in either an inclusive orexclusive sense. Moreover, plural instances may be provided forresources, operations, or structures described herein as a singleinstance. Additionally, boundaries between various resources,operations, engines, engines, and data stores are somewhat arbitrary,and particular operations are illustrated in a context of specificillustrative configurations. Other allocations of functionality areenvisioned and may fall within a scope of various embodiments of thepresent disclosure. In general, structures and functionality presentedas separate resources in the example configurations may be implementedas a combined structure or resource. Similarly, structures andfunctionality presented as a single resource may be implemented asseparate resources. These and other variations, modifications,additions, and improvements fall within a scope of embodiments of thepresent disclosure as represented by the appended claims. Thespecification and drawings are, accordingly, to be regarded in anillustrative rather than a restrictive sense.

Conditional language, such as, among others, “can,” “could,” “might,” or“may,” unless specifically stated otherwise, or otherwise understoodwithin the context as used, is generally intended to convey that certainembodiments include, while other embodiments do not include, certainfeatures, elements and/or steps. Thus, such conditional language is notgenerally intended to imply that features, elements and/or steps are inany way required for one or more embodiments or that one or moreembodiments necessarily include logic for deciding, with or without userinput or prompting, whether these features, elements and/or steps areincluded or are to be performed in any particular embodiment.

Although the invention has been described in detail for the purpose ofillustration based on what is currently considered to be the mostpractical and preferred implementations, it is to be understood thatsuch detail is solely for that purpose and that the invention is notlimited to the disclosed implementations, but, on the contrary, isintended to cover modifications and equivalent arrangements that arewithin the spirit and scope of the appended claims. For example, it isto be understood that the present invention contemplates that, to theextent possible, one or more features of any embodiment can be combinedwith one or more features of any other embodiment.

The invention claimed is:
 1. A system, comprising: one or moreprocessors; and a memory storing instructions that, when executed by theone or more processors, cause the system to perform: generating a firstkey commensurate with a first access privilege to a dataset; providingaccess to the dataset commensurate with the first access privilege inresponse to receiving and authenticating the first key; in response tothe providing of access to the dataset, generating a log for thedataset, the log being divided into a secured data portion commensuratewith the first access privilege and an unsecured data portioncommensurate with a second access privilege lower than the first accessprivilege, the secured data portion being inaccessible under the secondaccess privilege.
 2. The system of claim 1, wherein the instructionsfurther cause the system to perform: generating an additional key inresponse to generating an additional dataset; encrypting the additionalkey; storing the encrypted additional key within a first datastore;receiving a request to access the additional dataset; decrypting theencrypted additional key; authenticating the decrypted additional key;providing access to the additional dataset; in response to providing theaccess, generating a log corresponding to the additional dataset; andstoring the log within a second datastore.
 3. The system of claim 2,wherein the instructions further cause the system to perform: encryptingthe log, and wherein: the providing of the access to the additionaldataset comprises decrypting the additional dataset, wherein theadditional dataset is stored in association with the log.
 4. The systemof claim 2, wherein the instructions further cause the system toperform: encrypting the log corresponding to the additional datasetusing the additional key.
 5. The system of claim 4, wherein theencrypting of the additional key is via a public key.
 6. The system ofclaim 4, wherein the instructions further cause the system to perform:receiving a request for deletion of the additional key; determiningwhether an access privilege corresponding to the request for deletionexceeds the first access privilege; deleting the additional key inresponse to the access privilege exceeding the first access privilege;and refraining from deleting the additional key in response to theaccess privilege being equal or less than the first access privilege. 7.The system of claim 2, wherein the encrypted additional key is decryptedusing a secret key.
 8. The system of claim 1, wherein the instructionsfurther cause the system to perform: inactivating the first key inresponse to the log being generated.
 9. The system of claim 1, whereinthe generating of the first key comprises encrypting a symmetric keybased on a public key of a user corresponding to the first accessprivilege and decrypting the encrypted symmetric key.
 10. The system ofclaim 1, wherein the instructions further cause the system to perform:generating individual logs corresponding to individual access requestsby different users, wherein the individual logs comprise respectivesecured data portions and unsecured data portions.
 11. A systemcomprising: one or more processors; and a memory storing instructionsthat, when executed by the one or more processors, cause the system toperform: obtaining, from a first server, an encrypted symmetric key fora dataset, the encrypted symmetric key being encrypted using a publickey; decrypting the obtained encrypted symmetric key using a secret keycorresponding to the public key; obtaining, from a second server, anencrypted dataset that is generated by encrypting the dataset;decrypting the encrypted dataset using the decrypted symmetric key; andupon access to the decrypted dataset, generating a log for the decrypteddataset, the log being divided into a secured data portion commensuratewith the first access privilege and an unsecured data portioncommensurate with a second access privilege lower than the first accessprivilege, the secured data portion being inaccessible under the secondaccess privilege.
 12. The system of claim 11, wherein the instructionsfurther cause the system to perform: generating an additional key inresponse to generating an additional dataset; encrypting the additionalkey; storing the encrypted additional key within a first datastore;receiving a request to access the additional dataset; decrypting theencrypted additional key; authenticating the decrypted additional key;providing access to the additional dataset; in response to providing theaccess, generating a log corresponding to the additional dataset; andstoring the log within a second datastore.
 13. The system of claim 12,wherein the instructions further cause the system to perform: encryptingthe log, and wherein: the providing of the access to the additionaldataset comprises decrypting the additional dataset, wherein theadditional dataset is stored in association with the log.
 14. The systemof claim 12, wherein the instructions further cause the system toperform: encrypting the log corresponding to the additional datasetusing the additional key.
 15. The system of claim 14, wherein theinstructions further cause the system to perform: receiving a requestfor deletion of the additional key; determining whether an accessprivilege corresponding to the request for deletion exceeds the firstaccess privilege; deleting the additional key in response to the accessprivilege exceeding the first access privilege; and refraining fromdeleting the additional key in response to the access privilege beingequal or less than the first access privilege.
 16. A system comprising:one or more processors; and a memory storing instructions that, whenexecuted by the one or more processors, cause the system to perform:obtaining, from a first server, an encrypted symmetric key for adataset, the encrypted symmetric key being encrypted using a public key;decrypting the obtained encrypted symmetric key using a secret keycorresponding to the public key; obtaining, from a second server, anencrypted log that is generated by encrypting a log that is generatedwhen the dataset is accessed; and decrypting the encrypted log using thedecrypted symmetric key, wherein the encrypted log is divided into asecured data portion commensurate with the first access privilege and anunsecured data portion commensurate with a second access privilege lowerthan the first access privilege, the secured data portion beinginaccessible under the second access privilege.
 17. The system of claim16, wherein the instructions further cause the system to perform:generating an additional key in response to generating an additionaldataset; encrypting the additional key; storing the encrypted additionalkey within a first datastore; receiving a request to access theadditional dataset; decrypting the encrypted additional key;authenticating the decrypted additional key; providing access to theadditional dataset; in response to providing the access, generating alog corresponding to the additional dataset; and storing the log withina second datastore.
 18. The system of claim 17, wherein the instructionsfurther cause the system to perform: encrypting the log, and wherein:the providing of the access to the additional dataset comprisesdecrypting the additional dataset, wherein the additional dataset isstored in association with the log.
 19. The system of claim 17, whereinthe instructions further cause the system to perform: encrypting the logcorresponding to the additional dataset using the additional key. 20.The system of claim 19, wherein the instructions further cause thesystem to perform: receiving a request for deletion of the additionalkey; determining whether an access privilege corresponding to therequest for deletion exceeds the first access privilege; deleting theadditional key in response to the access privilege exceeding the firstaccess privilege; and refraining from deleting the additional key inresponse to the access privilege being equal or less than the firstaccess privilege.